Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Build to Hack, Hack to Build

712 views

Published on

Speaker: Chris Le Roy

Containers,Cloud,DevOps and SDLC are all terms that are increasing in terms of usage in the InfoSec world. In this talk, we discuss how a container exploitation tool (BOtB) was developed to identify and autopwn common vulnerabilities in container technologies such as Docker and LXC and how this tool was used in a modern SDLC environment using common CI/CD technologies to identify, exploit and remediate container vulnerabilities before releases were made to production.

In this talk we elaborate on how and why BOtB was built to be used by pentesters to exploit container vulnerabilities and how BOtB can be used by engineers to secure their container environments. The talk will also explain the technical details around the vulnerabilities that can be exploited by BOtB.

Published in: Engineering
  • Be the first to comment

  • Be the first to like this

Build to Hack, Hack to Build

  1. 1. Build to Hack, Hack to BuildBuild to Hack, Hack to Build
  2. 2. WhoamiWhoami My name is Chris Le Roy Platform Security Engineer @Heroku You can find me on the cyberz with @brompwnie I like hacking stuff, I like building stuff Web, Windows, Android, Containers
  3. 3. AgendaAgenda The Problem Existing Research Introducing BOtB BOtB Capabilities and Integration Conclusion
  4. 4. What are the Problems?What are the Problems? In a modern cloud-devops-SDLC-Agile Environment How do we identify and exploit container vulnerabilities? How do we test, secure and monitor our containers?
  5. 5. Existing ResearchExisting Research AmIContained Linux SECCOMP and CAPS, LXC or Docker GoogleContainerTools container-structure-test is a great to tool to analyze images (static) Clair Vulnerability Static Analysis for Containers Aqua Security Docker-benchmark against CIS Docker Benchmark
  6. 6. How do I like to solveHow do I like to solve problems?problems?
  7. 7. Pwn all the ThingsPwn all the Things Break Out The Box (BOtB) https://github.com/brompwnie/botb Written in Go Ability to autopwn common Container vulnerabilities Ability to perform common Container recon functions (think Linux Post Exploitation) Options to implement abilities in a manner that is useful for pentesters and engineers
  8. 8. Pwn all the Things: Docker.sockPwn all the Things: Docker.sock Hacking containers 101 method Using Docker from within a container <- don’t do this This can allows us to break out of containers Local PrivEsc to ROOT
  9. 9. Pwn all the Things: Docker.sockPwn all the Things: Docker.sock Step 1: Identify docker.sock in container Step 2: Interact with docker.sock via cURL or Docker Client Create a new container and mount the host’s filesystem Step 4: docker run -ti newContainer chroot mount in Step 3 as root Step 5: L00t
  10. 10. Pwn all the Things: Docker.sockPwn all the Things: Docker.sock Looking for UNIX sockets in containers can be tricky Living off the land (LOTL) of a container has problems Useful commands to find domain sockets not available i.e find/ss/netstat etc
  11. 11. Pwn all the Things: Docker.sockPwn all the Things: Docker.sock docker.sock might not be mounted at: /var/run/docker.sock You have to find these sockets /moo/bob
  12. 12. Pwn all the Things: Docker.sockPwn all the Things: Docker.sock Syscalls might be available to perform the task you need
  13. 13. Pwn all the Things: Docker.sockPwn all the Things: Docker.sock Container Breakout with BOtB
  14. 14. Pwn all the Things: Docker.sockPwn all the Things: Docker.sock BOtB can be used to drop into an interactive TTY on the underlying host (Pentester) BOtB can be used to exploit the exposed docker.sock but not drop into an interactive TTY (Engineer) Return code > 0 No need to install additional packages to utilise the capabilities
  15. 15. Pwn all the Things: Docker.sockPwn all the Things: Docker.sock BOtB integrated with CI
  16. 16. But there's more to Pwn...But there's more to Pwn...
  17. 17. Pwn all the Things: PrivilegedPwn all the Things: Privileged Docker, --Privileged Dangerous SYSCALL's and CAPS --cap-add=SYS_ADMIN Easy container escapes
  18. 18. Pwn all the Things: --PrivilegedPwn all the Things: --Privileged
  19. 19. Pwn all the Things: ENVPwn all the Things: ENV Container implementations utilise Env Not container specific but very prevalent Good ‘ol ENV i.e PATH etc Proc filesystem is your friend too /proc/{pid}/Environ This location can have more than you bargained for Just because you cleared ENV, does not imply that /proc/{pid}/Environ has been cleared
  20. 20. Pwn all the Things: ENVPwn all the Things: ENV BOtB has the ability to access ENV and /proc/environ ENV variables can accessed via "os.Environ()" Environ returns a copy of strings representing the environment, in the form "key=value" Accessing /proc/{pid}/Environ can get tricky Ephemerality General Linux Proc FS mechanics
  21. 21. Pwn all the Things: ENVPwn all the Things: ENV
  22. 22. Pwn all the Things: ENVPwn all the Things: ENV
  23. 23. Pwn all the Things: ENVPwn all the Things: ENV BOtB integrated with CI
  24. 24. Pwn all the Things: MetaPwn all the Things: Meta Clouds are a favourite spot for Containers Because of this, metadata services are available Common endpoint for AWS, GCP, Azure etc http://169.254.169.254 This endpoint can be used for many things Perform certain actions on the platform curl http://169.254.169.254/latest/meta- data/iam/security-credentials/s3access Platform Specific
  25. 25. Pwn all the Things: MetaPwn all the Things: Meta Metadata services are one type of API There may be many other API’s exposed Control Plane API’s i.e K8 These endpoints may be lurking in your Cloud Potentially accessible from a container EC2 Classic, "instances run in a single, flat network that you share with other customers" Back to Container quirks You don’t always have nmap,cURL, ifconfig, ip etc
  26. 26. Pwn all the Things: MetaPwn all the Things: Meta BOtB searching for metadata
  27. 27. Recon is fun but...Recon is fun but...
  28. 28. Pwn all the Thinings: BinaryPwn all the Thinings: Binary HijackingHijacking Container binaries are often utilised to perform actions by entities outside of the container docker exec Trusts command explicitly
  29. 29. Pwn all the Thinings: BinaryPwn all the Thinings: Binary HijackingHijacking Kubectl cp Calls the container’s TAR binary Victim of a recent attack https://www.twistlock.com/labs- blog/disclosing-directory-traversal- vulnerability-kubernetes-copy-cve-2019- 1002101/
  30. 30. At some point in yourAt some point in your Container’s execution, a binaryContainer’s execution, a binary might be executedmight be executed
  31. 31. Hijack all the binaries!Hijack all the binaries!
  32. 32. Pwn all the Thinings: BinaryPwn all the Thinings: Binary HijackingHijacking Warning! Here be dragons This could break stuff, you are modifying the container and its contents
  33. 33. Pwn all the Thinings: BinaryPwn all the Thinings: Binary HijackingHijacking Step 1: Determine if you have +rw perms to /bin, /sbin, /usr/bin Step 2: Create a malicious executable that does something Webhook, fuzz, etc Step 3: Replace everything in /bin, /sbin,/usr/bin with your malicious “binary” and chmod +x L00t
  34. 34. Pwn all the Thinings: BinaryPwn all the Thinings: Binary HijackingHijacking Prepping a malicious executable Capturing the command that was called (hijacked) "$0" Capturing the first 3 params "$1,$2,$3"
  35. 35. Pwn all the Thinings: BinaryPwn all the Thinings: Binary HijackingHijacking Hijacking binaries, bash into submission
  36. 36. Pwn all the Thinings: BinaryPwn all the Thinings: Binary HijackingHijacking Receiving callbacks is interesting Could happen 1min, 5min, 1hr, next week Tokens in cURL commands Prevent logic from occuring Unexpected output General Borkage
  37. 37. Pwn all the Thinings: BinaryPwn all the Thinings: Binary HijackingHijacking
  38. 38. But wait, there's more!But wait, there's more!
  39. 39. Pwn all the Things: CVE:-???Pwn all the Things: CVE:-??? There’s a few issues that we can have phun with CVE-2014-6271 (Shellshock/Bashbug) Docker Shocker DirtyCow CVE-2017-5123 (waitid privesc) CVE-2019-5736 (RunC)
  40. 40. Pwn all the ThingsPwn all the Things CVE-2019-5736 Similar to hijacking binaries You are hijacking the runC binary on the host Issue in how runC spawns a new process in a Container
  41. 41. Pwn all the ThingsPwn all the Things CVE-2019-5736 Last resort exploit If successful, this will break the underlying Container runtime You need root(Docker) and privileged Container(LXC) runC binary is owned by root
  42. 42. Pwn all the ThingsPwn all the Things CVE-2019-5736 We can make use of our binary hijacking strategy We replace runC with a web hook function to our endpoint It will break Docker but at least will know if it is vulnerable or get a shell
  43. 43. Pwn all the ThingsPwn all the Things Breaking out with CVE-2019-5736
  44. 44. ConclusionConclusion BOtB can be used by both pentesters and engineers Use it to get shells or verify exploitability Use it to test within your SDLC Environment and get feedback Feedback is either immediate or not We are identifying and exploiting both immediate and delayed vulnerabilities
  45. 45. ConclusionConclusion https://github.com/brompwnie/botb
  46. 46. ReferencesReferences https://docs.docker.com/engine/security/https/ https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cp https://docs.docker.com/engine/reference/commandline/exec/ https://github.com/GoogleContainerTools/container-structure-test https://github.com/coreos/clair https://github.com/aquasecurity/docker-bench https://www.cisecurity.org/benchmark/docker/ https://github.com/Frichetten/CVE-2019-5736-PoC https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/ https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes- copy-cve-2019-1002101/ https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ https://github.com/singe/container-breakouts

×